In the European Union, health data is regulated by a comprehensive set of legislative documents. This page provides an overview of these regulations and highlights the key aspects each one contributes to the overall framework.
Legal Framework
This legislative framework is built on laws governing data collection and processing. It is further enhanced by regulations ensuring transparency in the public sector (as health information systems are largely public services in many EU Member States), and the role of intellectual property and trade secrets.
General Data Protection Regulation (GDPR): Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data
- Establishes health data as a form of personal data that requires privacy protection
- Outlines the rules under which health data can be processed for primary and secondary purposes, along with their respective consent requirements
Open Data Directive: Directive 2019/1024 on open data and the re-use of public sector information
- Intends to promote the use of open data and stimulate innovation in products and services
- Sets up the rules for the re-use of public sector information
Data Act: Regulation 2023/2854 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828
- Establishes that any data generated by using goods and services needs to be fairly accessible and reusable
- Sets out specific requirements for the accessibility and transfer of the generated data
- Outlines the conditions under which data that are protected under trade secrets or intellectual property rights can be exempted from sharing
Data Governance Act: Regulation 2022/868 on European data governance and amending Regulation 2018/1724
- Provides processes and structures that aim to facilitate data sharing while retaining a high level of data protection
Interoperable Europe Act: Regulation 2024/903 laying down measures for a high level of public sector interoperability across the Union
- Specifies the framework for cross-border interoperability of public services
Directive 96/9/EC on the legal protection of databases
- Determines that the author of a database or dataset has the sole right to make it available to the public
- Outlines that the protection of databases does not extend to the content of the databases, namely the data
Regulation on the European Health Data Space (EHDS)
- Introduces a European framework for the processing of health data for primary and secondary use
- Improves individuals’ access to and control over their personal electronic health data, while also enabling certain data to be reused for public interest, policy support, and scientific research purposes
A toolbox on existing practices and guidelines on ethical and legal aspects of handling health information
In October 2023, the Population Health Information Research Infrastructure published a document aiming to act as an ELSI (Ethical, Legal, and Social Issues) toolbox, guiding researchers on existing practices and guidelines on ethical and legal aspects of handling and exchanging health information. The document is accessible here.